As we enter 2018, health information management (HIM) and compliance professionals have the opportunity to reflect on healthcare privacy and security in 2017, look at lessons learned, and make predictions as to what’s next.

In 2017, many natural disasters took center stage, and they continue to play a role in healthcare (for example, disaster waivers). We also saw the defunding of ONC’s Chief Privacy Officer position. In addition, data security and breach notification issues grabbed headlines. I go into more detail on these items and offer predictions for 2018 in an InterviewNow podcast, which you can listen to here.

Health Information Management Best Practices

During 2017, data security and breach notification issues grabbed the headlines, and the Office for Civil Rights (OCR) was one of the most active regulators. Health Information Management (HIM) leaders can learn lessons from last year’s enforcement actions and apply the following best practices in 2018:

1) Know Where Your Risks Are
Cyber security risks are still out there, and your organization needs to be aware of them so that it can prepare for and respond to those types of attacks. Your organization should make sure to spend enough on cyber security so that your IT department is better able to respond to and act on attacks.

2) Educate and Train Employees
For a good percentage of these security and breach notification issues, there is a human factor involved. Knowledge is power. Training and educating your employees should be part of your organization’s due diligence. Employees need to know what they can and cannot click on, and they also need to understand the types of phishing episodes that can occur. This is also important because employees at many organizations now bring their own devices to work. The due diligence required has grown because the more things that get connected, the bigger the risk of a breach.

3) Update System Patches
Validate that your IT team is current with software updates and patches to ensure the latest security enhancements are applied to protect the data.

4) Look at Policies and Procedures
Make sure your organization has up-to-date policies and procedures. It is important to do internal auditing to make sure your employees understand and follow these policies and procedures. If you come across weaknesses during your internal auditing, be sure to address them as well.

OCR Wall of Shame Facelift, Intelligent Apps and Analytics

Now, more than ever, is the time to get your breach prevention and compliance measures in order, because the OCR Wall of Shame may get a facelift in 2018. The facelift could allow you to link over and see who else is involved from a Business Associate standpoint. I personally think the facelift could help people with their due diligence and reviews.

More things to look at in 2018 include intelligent apps and analytics. With all the new and advanced devices today, personal health information is much easier to track now. Once that tracked information becomes shared, it could become part of your doctor’s diagnostic tool kit. I think the availability of health data, if used correctly, could help the world become a better place.

To learn more about 2018 watch list items, including General Data Protection Regulation (GDPR), Internet of Things (IoT), research and de-identification, litigation, OCR updates and cyber-security, be sure to look for details about an upcoming webinar series, hosted by MRO, which will cover those items.

InterviewsNow: Rita Bowen of MRO on What Will HIPAA Privacy and Security Look Like in 2018
In an InterviewsNow podcast, MRO’s Rita Bowen, Vice President of Privacy, Compliance and HIM Policy, discusses what HIPAA security will look like in 2018, including the defunding of the ONC Chief Privacy Officer position, how Intelligent Apps and Analytics are changing the world for privacy and security, what OCR enforcement will look like, and the OCR’s Wall of Shame facelift.

HFMA: Successfully Navigating the Surge in HEDIS Reviews
In a HFMA blog, MRO’s Greg Ford, Director of Requester Relations and Receivables Administration, offers insight and tips on how to prepare for HEDIS Reviews.

Three major types of payer record reviews are conducted every year: Healthcare Effectiveness Data and Information Set (HEDIS), Medicare Risk Adjustment, and Commercial Risk Adjustment. A HEDIS Review, in particular, is performed by a payer or health plan to measure the quality and effectiveness of care delivered to their covered patient populations. They are the smallest of the three major payer reviews and occur every year from January to mid-May.

As the volume of payer and health plan reviews continues to skyrocket, millions of patient records are requested. From 2016 to 2017, payer review requests to MRO clients increased by 14%, with HEDIS Review requests increasing from 2% to 3% of the total Release of Information requests processed by MRO nationally.

A recent article in HIM Briefings about HEDIS Reviews details benefits, lessons learned, and what to expect. Below are three important tips that are outlined for providers to prepare for the upcoming HEDIS Review season.

Tips for Managing Payer Requests During the Upcoming HEDIS Review Season

In working with payer record reviews, several practical strategies have emerged to minimize payer-provider abrasion and reduce operational costs. Providers should take a proactive approach and follow these three tips:

1) Engage early.
The National Committee for Quality Assurance (NCQA) is proactive in announcing which quality measures will be targeted for review in the year ahead. For example, the 2018 NCQA quality measures are now published and available to both providers and payers. Proactive providers should reach out to their contracted payers and health plans in December or January to discuss the upcoming HEDIS Review season. With the potential for thousands of medical records to be requested between January and May, two conversations are critical: expected volumes and reimbursement for the provider’s efforts. Keep in mind this dialogue sets the tone for the relationship.

2) Determine expected volumes.
The most important conversation that should occur between payer and provider is about determining the number of record requests that will be received. Be sure to plan ahead for the increased staff workload needed to produce the required medical record documentation. The number of requests depends on the size of the hospital or the healthcare system. Each payer has a designated HEDIS Review team responsible for the program. Contact the team lead or local health plan representative to schedule this conversation during the HEDIS Review planning period in December or January.

3) Set rate for records.
The initial perception in the industry suggested that providers could not charge payers for the time, manpower, and mailing costs associated with producing records for a HEDIS Review. However, this is not the case. Payers understand the tremendous staff burden on providers and are willing to reimburse them for their efforts.

How Your Release of Information Vendor Can Help

At MRO, we utilize our industry knowledge and “easy to work with” approach to create partnerships with payers and their vendors to streamline the processing of HEDIS Review, Medicare Risk Adjustment and Commercial Risk Adjustment projects. This process includes establishing a rate per chart for these projects, as payers are willing to pay for review requests regardless of the language in the managed care contracts. We have found that most payers are reasonable and understand the cost associated with producing these high-volume requests, which is why they are willing to pay for them. MRO ensures that the cost of producing these records is not a burden on our clients.

Watch the video interview below to learn more about reducing payer-provider abrasion, and what MRO is doing to help providers handle these payer review requests.